Looking for confirmation and relevant docs for a best practice/design pattern for a RESTful interface between an Android native application and a PHP website.
Does this make sense?
- HTTPS requests over SSL (so that communication is encrypted).
- OAuth2 for token based authentication (so that the user can authorize with the site initially with a username and password but then rely on an authorization token).
Anything missing? Is there a better approach? Are there general approaches for a persistent connection?
I have seen this approach used and its implementation was very secure. Instead of calling it an authToken, I refer to it as a sessionToken as mine were set to expire after a certain period of time and have the server request the username/password from the client again. This helps drop dead sessions and ensure that if someone has succeeded in maliciously getting the user’s sessionToken then they are thwarted the next time the app moves to HTTPS to provide credentials again (assuming you only use HTTPS over SSL for login). If all the traffic is sent over SSL then the use case would be to have the session token timeout for the benefit of the servers so they can clear out dead sessions.
*Just something to be aware of, sending all data over SSL is fairly cost heavy on the server compared to regular requests, so if you can avoid it without compromising security, it can really help with scalability.
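As an added example that is not part of the question or the answer above, the expiring session-token scheme the answer describes, written in PHP since that is the site's server language; the TTL value, the in-memory store and the user name are constructed for illustration:

```php
<?php
// Added example (not the question's or answer's code): a server-side session
// token store with expiry, as the answer describes. In-memory array for
// illustration; a real site would use a database or cache, served over HTTPS.
const SESSION_TTL_SECONDS = 1800; // constructed value: 30-minute lifetime

/** Issue a fresh token once the username/password login has succeeded. */
function issueSessionToken(array &$store, string $userId, int $now): string
{
    $token = bin2hex(random_bytes(32));         // 256 bits from a CSPRNG
    // Store only a hash so a leaked store does not yield usable tokens.
    $store[hash('sha256', $token)] = [
        'user'    => $userId,
        'expires' => $now + SESSION_TTL_SECONDS,
    ];
    return $token;                              // sent to the app once, over TLS
}

/** Return the user id for a valid token, or null if unknown or expired. */
function validateSessionToken(array &$store, string $token, int $now): ?string
{
    $key = hash('sha256', $token);
    if (!isset($store[$key])) {
        return null;
    }
    if ($now >= $store[$key]['expires']) {
        unset($store[$key]);                     // clear out the dead session
        return null;                             // client must log in again
    }
    return $store[$key]['user'];
}

/** Per-request gate: on failure the app re-sends credentials over HTTPS. */
function requireSession(array &$store, string $token, int $now): string
{
    $user = validateSessionToken($store, $token, $now);
    if ($user === null) {
        http_response_code(401);
        header('WWW-Authenticate: Bearer realm="api", error="invalid_token"');
        exit;
    }
    return $user;
}

// Usage with a constructed clock instead of time(), so the expiry is visible:
$store = [];
$t = issueSessionToken($store, 'alice', 1000);
var_dump(validateSessionToken($store, $t, 1060));   // 60 s after issue
var_dump(validateSessionToken($store, $t, 2801));   // 1801 s after issue, past the TTL
```

The 401 with a `WWW-Authenticate` header is the signal for the Android client to discard the stale token and prompt for the username and password again.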